WordPress Plugin Vulnerabilities

myCred – Points Management System For Gamification, Ranks, Badges, and Loyalty Program < 2.9.7.1 - Missing Authorization to Unauthenticated Withdrawal Request Approval

Description

The myCred – Points Management System For Gamification, Ranks, Badges, and Loyalty Program plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 2.9.7. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to approve withdrawal requests, modify user point balances, and manipulate the payment processing system via the cashcred_pay_now AJAX action.

Affects Plugins

Plugin icon
mycred
Fixed in 2.9.7.1

References

CVE
CVE-2025-12362
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/af54654b-60af-446d-b170-ee0a1ebed22c

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Rafshanzani Suhada
Verified
No
WPVDB ID
f77378b8-f89f-4873-ae2b-13170c8579d9

Timeline

Publicly Published
2025-12-12 (about 6 months ago)
Added
2025-12-12 (about 6 months ago)
Last Updated
2025-12-13 (about 6 months ago)

Other

Published
Title
Published
2022-07-20
Title
Beaver Builder < 2.5.4.4 - Subscriber+ Arbitrary Post Builder Layout Disabling
Published
2026-03-23
Title
Coinbase Commerce – Crypto Gateway for WooCommerce <= 1.6.6 - Missing Authorization
Published
2026-02-18
Title
Elegant Pink < 1.3.4 - Missing Authorization
Published
2026-01-08
Title
Frontend Admin by DynamiApps < 3.28.26 - Unauthenticated Arbitrary Data Deletion via 'delete post' Form Element
Published
2026-01-05
Title
ilGhera Support System for WooCommerce < 1.2.7 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Ticket Deletion